semigroups including the Cha-Ko-Lee-Han-Cheon braid group cryptosystem have security based on the MSCSP. We give two algorithms to solve the DP using the MSCSP.

2. Introduction 



At the CRYPTO 2000 conference the seminal KLCHKP (Ko-Lee-Cheon-Han-Kang-Park) braid group public-key cryptosystem was published, see [2]. An updated version of the KLCHKP cryptosystem, the CKLHC (Cha-Ko-Lee-Han-Cheon) braid group cryptosystem, was introduced at the ASIACRYPT 2001 conference [10]; the claim of the authors was that the updated cryptosystem is based on the DH-DP (Diffie-Hellman Decomposition Problem). We show that the KLCHKP and CKLHC cryptosystems are based on the MSCSP, whereas for several years it has been assumed that the security of these cryptosystems is based on the DH-CP and DH-DP respectively. We also show that the related cryptosystems may be based on the MSCSP, and hence give a new way to break the KLCHKP and CKLHC cryptosystems and the related cryptosystems for some parameters. It has been shown that there is a linear algebraic attack on the KLCHKP and CKLHC cryptosystems, but our attack is more practical.

3. Hard Problems in Non-Abelian Groups

Definition. The MSCSP (multiple simultaneous conjugacy search problem) [3] is: find elements $g \in G$ such that $y_i = g x_i g^{-1}$, given the publicly known information: $G$ is a group, $x_i, y_i \in G$ with $y_i = a x_i a^{-1}$, $1 \le i \le u$, with the secret element $a \in G$.

Definition. The CSP [3] can be defined as the MSCSP with $u = 1$.

Notation. We refer to an example of the MSCSP as $((x_1, x_2, \ldots, x_u), (y_1, y_2, \ldots, y_u))$ with solution $g$.

The DP (Decomposition Problem) [6] is defined as follows.
Public Information: $G$ is a semigroup, $A$ is a subset of $G$. $x, y \in G$ with $y = axb$.
Secret Information: $a, b \in A$.

Objective: find elements $f, g \in A$ such that $fxg = y$.

The definition of the DP above generalises the less general version of the DP given in [8], [3] and [7]. The less general version only differs from the above definition of the DP in that $G$ is a group and $A$ is a subgroup. In our notation, throughout this paper we omit the binary operation $*$ when writing products, so for example $f * x * g$ is understood to mean $fxg$. We require that $*$ is efficiently computable.

The CSP (Conjugacy Search Problem) [1], [3] is defined as follows.
Public Information: $G$ is a group. $x, y \in G$ with $y = f^{-1} x f$.
Secret Information: $f \in G$.

Objective: find an element $g \in G$ such that $g^{-1} x g = y$.

Notation. We refer to an example of the CSP as $(x, y)$ with solution $g$.

The DH-DP (Diffie-Hellman Decomposition Problem) [8], [3] is defined as follows.

Public Information: $G$ is a group. $A, B$ are subgroups of $G$ with $[A, B] = 1$. $x, y_a, y_b \in G$ with $y_a = axb$, $y_b = cxd$.

Secret Information: $a, b \in A$, $c, d \in B$.

Objective: find the element $c y_a d$ $(= a y_b b = acxbd)$.

The DH-CP (Diffie-Hellman Conjugacy Problem) is the specialisation of the DH-DP with $a =$ and $c =$ .

We now re-define the DP and DH-DP above as used in our key agreement protocol given in [12]. In the rest of this paper the DP and DH-DP will mean their re-definitions.

The re-definition of the DP is as follows.

Public Information: $G$ is a semigroup. $A, B$ are subsets of $G$. $x, y \in G$ with $y = axb$.

Secret Information: $a \in A$, $b \in B$.

Objective: find elements $f \in A$, $g \in B$ such that $fxg = y$.

The re-definition of the DH-DP is as follows.

Public information: $G$ is a semigroup. $A, B, C, D$ are subsets of $G$. $x, y_a, y_b \in G$ with $y_a = axb$, $y_b = cxd$.

Secret Information: $a \in A$, $b \in B$, $c \in C$, $d \in D$. $[A, C] = 1$, $[B, D] = 1$.

Objective: find the element $c y_a d$ $(= a y_b b = acxbd)$.

The EDL problem is to decide if the discrete logarithms of two elements in an abelian group are the same [9]. The EDL type problem is as follows [9].

Public information: $G$ is a group, $a, b, y_a, y_b \in G$ with $y_a = uav$, $y_b = wbx$.
Secret Information: $u, v, w, x \in G$.

Objective: Decide if $F_a(y_a) \cap F_b(y_b) \ne \emptyset$, where $F_\beta(\alpha) = \{(a, b) \in B_n \times B_n : \alpha = a \beta b\}$.

We redefine the EDL problem more generally as follows.
Public information: $G$ is a semigroup. $A, B, C, D$ are subsets of $G$. $a, b, y_a, y_b \in G$ with $y_a = uav$, $y_b = wbx$.

Secret Information: $u \in A$, $v \in B$, $w \in C$, $x \in D$.

Objective: Decide if $F_a(y_a) \cap F_b(y_b) \ne \emptyset$, where $F_\beta(\alpha) = \{(a, b) \in B_n \times B_n : \alpha = a \beta b\}$.

4. Key Agreement Protocol Using Non-Commutative Semigroups 
In [12] we introduced a key agreement protocol and a variant of it, which we briefly describe below.



• Phase 0. Initial setup

i) $G$ is chosen and is publicly known.

A first method to select the parameters is as follows: publicly known or privately known subsets $L_A, L_B, R_A, R_B$ and $Z$ of $G$ are chosen for which either property a) below or property b) below is true. Let $z \in Z$ be the publicly known element which is the value of $x$ in the definition of the DH-DP used in the example of the DH-DP in our new authentication scheme.

Following [7], let $g \in G$ for $G$ a group; $C_G(g)$ is the centraliser of $g$. We sketch the modifications to the authentication scheme (and these apply to the key agreement protocol described below) that give two further methods to select the subgroups, as follows. Publicly known or privately known subsets $L_A, L_B, R_A, R_B$ and $Z$ of $G$ are chosen for which either property a) below or property b) below is true, for the second and third methods below.

The second method to select the subgroups is: A chooses $(a_1, a_2) \in G \times G$ and publishes the subgroups as a set of generators of the centralisers $L_B, R_B$, $L_B \subseteq C_G(a_1)$, $R_B \subseteq C_G(a_2)$, $L_B = \{\alpha_1, \ldots, \alpha_k\}$ etc. B chooses $(b_1, b_2) \in L_B \times R_B$, and hence can compute $x$ below etc. There is no explicit indication of where to select $a_1$ and/or $a_2$ from. Hence before attempting a length based attack in this case the attacker has to compute the centraliser of $L_B, R_B$.

So a third method to select the subgroups is: A chooses $L_A = G$, $a_1 \in G$, and publishes $L_B \subseteq C_G(a_1)$, $L_B = \{\alpha_1, \ldots, \alpha_k\}$; B chooses $L_B = G$, $b_2 \in G$, and publishes $R_A \subseteq C_G(b_2)$, $R_A = \{\beta_1, \ldots\}$. Hence A chooses $(a_1, a_2) \in G \times C_G(b_2)$ and publishes the subgroup(s) as a set of generators of the centralisers; B chooses $(b_1, b_2) \in C_G(a_1) \times G$, and hence can compute $x$ etc. Again there is no explicit indication of where to select $a_1$ and/or $b_2$ from. Hence before attempting a length based attack in this case the attacker has to compute the centraliser of $L_B$ and/or $R_B$.
a) If $z \ne e$ we require the following conditions:

$[L_A, L_B] = 1$, $[R_A, R_B] = 1$,
$[L_B, Z] \ne 1$, $[L_A, Z] \ne 1$,
$[R_B, Z] \ne 1$, $[R_A, Z] \ne 1$,
$[L_A, R_A] \ne 1$, $[L_B, R_B] \ne 1$.   (2)

All the above conditions for $z \ne e$ can arise by generalising from properties of subgroups used in the SDG or CKLHC schemes; for example the second and third conditions in (2) arise from the observations that in general $[LB_n, B_n] \ne 1$, $[LB_n, UB_n] = 1$.

b) If $z = e$ we require the following conditions:

$[L_A, L_B] = 1$, $[R_A, R_B] = 1$,
$[L_A, R_A] \ne 1$, $[L_B, R_B] \ne 1$,
$[L_B, R_A] \ne 1$, $[L_A, R_B] \ne 1$.   (3)



• Choose $z \in B_n$.

ii) A(lice) chooses secret braids $a_1 \in L_A$, $a_2 \in R_A$, her private key; she publishes $K_A = a_1 z a_2$; the pair $(w, K_A)$ is the public key.

i) B(ob) chooses secret braids $b_1 \in L_B$, $b_2 \in R_B$, his private key; he publishes $K_B = b_1 z b_2$; the pair $(w, K_B)$ is the public key.

iii) A and B can compute the common shared secret key $k$ as $k = a_1 K_B a_2$ and $k = b_1 K_A b_2$ respectively.

i) Choose a public $w$.

$h$ is a fixed collision-free hash function from braids to sequences of 0's and 1's or, possibly, to braids, for which this choice for $h$. Again the above protocol is considered with the commutativity conditions (2) or (3). Note the braids $K_A$ and $K_B$ are rewritten, for example into a normal form, to make the protocol secure. Full details are given in [12]. It was shown in [12] that the above key agreement protocol is a generalisation of the key protocols given in [10], [2], [5], [7].

5. The Diffie-Hellman Decomposition Problem is Equivalent to the Multiple Simultaneous Conjugacy Search Problem

In this section we will show that the DH-DP is equivalent to the MSCSP in our key agreement protocol in section 2.1, hence showing that the key exchange protocols given in [10], [5], [11] are based on the MSCSP and the key exchange protocols in [5], [7] may be based on the MSCSP. In the braid group there are various algorithms by which the MSCSP can be solved with non-negligible probability, such as length based algorithms or the algorithm using ultra summit sets given in [1], so for braid group implementations the algorithms we show to be based on the MSCSP should not be used. Our result also applies to the variant key exchange protocol and variant authentication scheme given in [12].

We now introduce the concept of a CE (conjugacy extractor) function, on which we build our attack.

Notation. We define a CE (conjugacy extractor) function to be a function that, on input of information from a user and information transmitted in a cryptographic protocol, gives as its output a conjugacy equation; by a conjugacy equation we mean an instantiation of the CSP. We denote $i$ CE functions as $CE_i$, or $CE$ if there is just one function involved.

Theorem 1

Solving the DH-DP is equivalent to solving the MSCSP, assuming $y_a$ and/or $y_b$ are invertible elements in the DH-DP.
Proof

The proof is for when considering commutativity conditions (2) or (3) in the generalised protocol above; when conditions (3) are used then $x = e$. Firstly define the CE for a protocol based on the DH-DP as follows:

$CE_1(R_i, y_a) = y_a R_i y_a^{-1} = a x b R_i b^{-1} x^{-1} a^{-1} = a x R_i x^{-1} a^{-1}$, $R_i \in D$

$CE_2(S_i, y_b) = y_b S_i y_b^{-1} = c x d S_i d^{-1} x^{-1} c^{-1} = c x S_i x^{-1} c^{-1}$, $S_i \in B$

$CE_3(R'_i, y_a) = y_a^{-1} R'_i y_a = b^{-1} x^{-1} a^{-1} R'_i a x b = b^{-1} x^{-1} R'_i x b$, $R'_i \in C$

$CE_4(S'_i, y_b) = y_b^{-1} S'_i y_b = d^{-1} x^{-1} c^{-1} S'_i c x d = d^{-1} x^{-1} S'_i x d$, $S'_i \in A$

$R_i$ is chosen from the subset that commutes with the subset that the secret $a$ in $y_a$ is chosen from; $S_i$ is chosen from the subset that commutes with the subset that the secret $b$ in $y_b$ is chosen from, etc. Since all the parameters are known, $CE_1, \ldots, CE_4$ are easily computable. Note it is sufficient for one CE to exist to prove the theorem, but we may want to compute more than one CE because their difficulty may vary; for example one of the CE of the protocols in [7] can be used in a known length attack. Obviously $R_i$ (in general) does not commute with $x$ (similarly $R_i$ in general does not commute with $a$ when conditions (3) are used), as this would mean an attacker could easily recover the common secret key. So for $1 \le i \le u$ this shows that the key agreement protocol in [2] is based on the MSCSP in the secret $ax$ or the MSCSP in the secret $cx$. So $a$ or $c$ can be found by right multiplying by $x^{-1}$, which is publicly known. Hence the protocols in [10], [2], [6], [7], [11] are based on an example of the MSCSP as

$((R_1, R_2, \ldots, R_u), (CE_1(R_1, y_a), CE_1(R_2, y_a), \ldots, CE_1(R_u, y_a)))$ with solution $ax$,
$((S_1, S_2, \ldots, S_u), (CE_2(S_1, y_b), CE_2(S_2, y_b), \ldots, CE_2(S_u, y_b)))$ with solution $cx$,
$((R'_1, R'_2, \ldots, R'_u), (CE_3(R'_1, y_a), CE_3(R'_2, y_a), \ldots, CE_3(R'_u, y_a)))$ with solution $b^{-1} x^{-1}$,
$((S'_1, S'_2, \ldots, S'_u), (CE_4(S'_1, y_b), CE_4(S'_2, y_b), \ldots, CE_4(S'_u, y_b)))$ with solution $d^{-1} x^{-1}$.
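As an added illustration of Theorem 1 (this is not code from the paper), the following Python reproduces the extractors $CE_1$ and $CE_3$ on a toy group of invertible matrices modulo a small prime standing in for the braid group; the block-diagonal subgroups, the modulus and the seeds are constructed assumptions, and the extracted CSP instances are checked against the known secrets rather than solved.

```python
"""Added example (not from the paper): Theorem 1's conjugacy extractors CE_1 and
CE_3 on a toy non-commutative group.  G = invertible 4x4 matrices mod P;
A = {diag(M, I)} and B = {diag(I, N)} commute elementwise, so [A, B] = 1 as the
DH-DP requires, with a, b in A and c, d in B.  The attacker's R, R' come from B
and so commute with b and a.  All values are constructed; the CSP is not solved
here, the known secrets only confirm each extracted instance has the claimed solution."""
import random

P = 101   # small prime modulus (constructed)
N = 4     # matrix dimension

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(N)) % P for j in range(N)]
            for i in range(N)]

def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]

def inverse(M):
    """Gauss-Jordan inversion mod P; raises ValueError if M is singular."""
    A = [M[i][:] + [int(i == j) for j in range(N)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if A[r][col] % P), None)
        if piv is None:
            raise ValueError("singular matrix")
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, P)
        A[col] = [v * inv % P for v in A[col]]
        for r in range(N):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(A[r][j] - f * A[col][j]) % P for j in range(2 * N)]
    return [row[N:] for row in A]

def embed(block, offset):
    """diag(block, I) for offset 0 (subgroup A), diag(I, block) for offset 2 (B)."""
    M = identity()
    for i in range(2):
        for j in range(2):
            M[i + offset][j + offset] = block[i][j]
    return M

def random_block(rng):
    """Random invertible 2x2 block mod P."""
    while True:
        m = [[rng.randrange(P) for _ in range(2)] for _ in range(2)]
        if (m[0][0] * m[1][1] - m[0][1] * m[1][0]) % P:
            return m

def random_element(rng):
    """Random invertible element of G."""
    while True:
        m = [[rng.randrange(P) for _ in range(N)] for _ in range(N)]
        try:
            inverse(m)
            return m
        except ValueError:
            continue

def dh_dp_instance(seed=1):
    """Public x, y_a = a x b, y_b = c x d and the secrets a, b in A, c, d in B."""
    rng = random.Random(seed)
    x = random_element(rng)
    a, b = embed(random_block(rng), 0), embed(random_block(rng), 0)
    c, d = embed(random_block(rng), 2), embed(random_block(rng), 2)
    return x, matmul(matmul(a, x), b), matmul(matmul(c, x), d), a, b, c, d

def ce1(R, ya):
    """CE_1(R, y_a) = y_a R y_a^{-1} = (ax) R (ax)^{-1} when R commutes with b."""
    return matmul(matmul(ya, R), inverse(ya))

def ce3(Rp, ya):
    """CE_3(R', y_a) = y_a^{-1} R' y_a = (xb)^{-1} R' (xb) when R' commutes with a."""
    return matmul(matmul(inverse(ya), Rp), ya)

def demo(seed=1):
    """Returns three booleans: the CSP instance (R, CE_1) has solution ax, the
    instance (R', CE_3) has solution xb, and a, b peeled from them rebuild the key."""
    x, ya, yb, a, b, c, d = dh_dp_instance(seed)
    rng = random.Random(seed + 1000)
    R, Rp = embed(random_block(rng), 2), embed(random_block(rng), 2)
    ax, xb = matmul(a, x), matmul(x, b)
    csp1_ok = ce1(R, ya) == matmul(matmul(ax, R), inverse(ax))
    csp3_ok = ce3(Rp, ya) == matmul(matmul(inverse(xb), Rp), xb)
    # right-multiplying by the public x^{-1} (resp. left by x^{-1}) peels off a and b
    a_rec, b_rec = matmul(ax, inverse(x)), matmul(inverse(x), xb)
    key_bob = matmul(matmul(c, ya), d)           # Bob's c y_a d
    key_rec = matmul(matmul(a_rec, yb), b_rec)   # attacker's a y_b b
    return csp1_ok, csp3_ok, key_rec == key_bob
```

With the braid group in place of the matrix group, the same identities hold, and the only step left to an attacker is the MSCSP instance itself.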

We now give applications of our theorem for the protocols [10], [2], [6], [7], [11]. There are algorithms that solve the MSCSP with non-negligible probability, such as a length attack [5], so a length attack may be used for the protocols [10], [2], [6], [7]. Following the notation in [7], where $G$ is a group, the security of the protocol in [7] is always based on the MSCSP (because we know the generators for the elements $a_2$ and $b_1$ we can use a length attack, so disproving the claim in [7]); we have

$CE_1(A_i, P_A) = P_A^{-1} A_i P_A = a_2^{-1} w^{-1} a_1^{-1} A_i a_1 w a_2 = a_2^{-1} w^{-1} A_i w a_2$,

$A_i \in A$, $A$ is a subgroup of $C_G(a_1)$

$CE_2(B_i, P_B) = P_B B_i P_B^{-1} = b_1 w b_2 B_i b_2^{-1} w^{-1} b_1^{-1} = b_1 w B_i w^{-1} b_1^{-1}$,

$B_i \in B$, $B$ is a subgroup of $C_G(b_2)$

If it may be easy for some sets $\{g_1, g_2, \ldots, g_k\}$ of elements of $G$ to compute a part of or all of (if $G$ is the braid group there are algorithms that will compute a large part of the centraliser)

$C(g_1, \ldots, g_k) = C(g_1) \cap \ldots \cap C(g_k)$

then we can compute the following:

$CE_3(C_i, P_A) = P_A C_i P_A^{-1} = a_1 w a_2 C_i a_2^{-1} w^{-1} a_1^{-1} = a_1 w C_i w^{-1} a_1^{-1}$,

$C_i \in C$, $C$ a subgroup of $C_G(b_2)$

$CE_4(D_i, P_B) = P_B^{-1} D_i P_B = b_2^{-1} w^{-1} b_1^{-1} D_i b_1 w b_2 = b_2^{-1} w^{-1} D_i w b_2$,

$D_i \in D$, $D$ a subgroup of $C_G(a_1)$

Following the notation in [5], let the elements transmitted by Alice and Bob be invertible; then

$CE_1(E_i) = b_1^{-1} w^{-1} a_1^{-1} E_i a_1 w b_1 = b_1^{-1} w^{-1} E_i w b_1$, $E_i \in B$
$CE_2(F_i) = b_2 w a_2 F_i a_2^{-1} w^{-1} b_2^{-1} = b_2 w F_i w^{-1} b_2^{-1}$, $F_i \in A$

and so we can use these equations in a length attack. It may be asked how much better a length attack using the conjugacy equations above for [7], [5] (and related protocols) is compared to the known length attacks on [7], [3], and whether the above equations can be used to improve the known length attacks (for example we may try using one and/or both equations above to decide which generator to peel off, in combination with the algorithm that decides which generators to peel off in an existing attack; an example would be if the existing algorithm is unable (i.e. picks at random) to decide which is the correct generator to peel, then peeling from $CE_1$ and/or $CE_2$ may be used to decide the correct generator). Following the notation in [11] we have

$CE_1(G_i, c) = c G_i c^{-1}$, which for $c$ a product of a power of $a$ and a power of $b$ reduces to the conjugate of $b^\alpha$ by the power of $a$, with $G_i = b^\alpha$ for some $\alpha$ chosen by the attacker,

or, using the suggestion of using the element $e$ in [11], we have

$CE_2(H_i, c) = c H_i c^{-1}$, which with the element $e$ inserted reduces to the conjugate of $e b^\alpha e^{-1}$ by the power of $a$, with $H_i = b^\alpha$ for some $\alpha$ chosen by the attacker.

Following the notation in [2] we have

$CE_1(K_i, y_1) = y_1 K_i y_1^{-1} = a x a^{-1} K_i a x^{-1} a^{-1} = a x K_i x^{-1} a^{-1}$, $K_i \in RB_r$

$CE_2(L_i, y_2) = y_2 L_i y_2^{-1} = b x b^{-1} L_i b x^{-1} b^{-1} = b x L_i x^{-1} b^{-1}$, $L_i \in LB_l$

$CE_3(M_i, y_1) = y_1^{-1} M_i y_1 = a x^{-1} a^{-1} M_i a x a^{-1} = a x^{-1} M_i x a^{-1}$, $M_i \in RB_r$

$CE_4(N_i, y_2) = y_2^{-1} N_i y_2 = b x^{-1} b^{-1} N_i b x b^{-1} = b x^{-1} N_i x b^{-1}$, $N_i \in LB_l$
Following the notation in [11] we have

$CE_1(K_i, w_i) = w_i K_i w_i^{-1} = y_{i-1} v_i y_i^{-1} K_i y_i v_i^{-1} y_{i-1}^{-1} = y_{i-1} v_i K_i v_i^{-1} y_{i-1}^{-1}$
$CE_1(K_i, w_i^{-1}) = w_i^{-1} K_i w_i = y_i v_i^{-1} y_{i-1}^{-1} K_i y_{i-1} v_i y_i^{-1} = y_i v_i^{-1} K_i v_i y_i^{-1}$

$K_i$ is chosen from the subgroup that generates the elements $x_j$; $U_i$ is chosen from the subgroup that generates the elements $y_j$. So the secrets $y_1, \ldots, y_k$ can be recovered and hence $v_i = y_{i-1}^{-1} w_i y_i$.

$CE_2(U_i, w) = w U_i w^{-1} = x_0 v_1 x_1 v_2 \ldots v_k x_k U_i x_k^{-1} v_k^{-1} \ldots v_2^{-1} x_1^{-1} v_1^{-1} x_0^{-1} = x_0 v_1 x_1 v_2 \ldots v_k U_i v_k^{-1} \ldots v_2^{-1} x_1^{-1} v_1^{-1} x_0^{-1}$

Recovering $x_0 v_1 x_1 v_2 \ldots v_k$ gives $x_k = (x_0 v_1 x_1 v_2 \ldots v_k)^{-1} w$; similarly $CE_2(U_i, w^{-1}) = w^{-1} U_i w$ gives $x_0$. Because all $v_i$ can be recovered, by similarly repeating the attack above using $CE_2(U_i, (x_0 v_1)^{-1} w x_k^{-1} v_k^{-1})$ for $x_1, \ldots, x_{k-1}$, and by repeating again, all the $x_i$ can be recovered.

Following the notation in [10] we have

$CE_1(P_i, c_1) = c_1 P_i c_1^{-1} = a_1 x a_2 P_i a_2^{-1} x^{-1} a_1^{-1} = a_1 x P_i x^{-1} a_1^{-1}$, $P_i \in UB_r$
$CE_2(Q_i, c_2) = c_2 Q_i c_2^{-1} = b_1 x b_2 Q_i b_2^{-1} x^{-1} b_1^{-1} = b_1 x Q_i x^{-1} b_1^{-1}$, $Q_i \in LB_r$

The CKLHC protocol in [10] was introduced as an improvement of the KLCHKP protocol, of which it is a generalisation/modification, but we have shown the CKLHC does not improve the security of the KLCHKP protocol, as they are both based on the MSCSP. This means using the KLCHKP and CKLHC cryptosystems is no more secure than using the AAG (Anshel-Anshel-Goldfeld) scheme [1], in the sense that they can all be broken by solving the MSCSP. Hence there is no need to use the CKLHC cryptosystem any longer. The theorem implies the Turing reduction of the DH-DP to the MSCSP (MSCSP $\propto_T$ DH-DP) for the case when the above DH-DP have related solutions; clearly a conjugacy extractor can be feasibly computed, that is in polynomial time and polynomial space (for parameters used in the CKLHC cryptosystem), using a finite number of group operations. If the conjugacy extractor is not computable in polynomial time and polynomial space in the context of breaking a cryptographic protocol, then the above protocol may be secure from an attack by solving the MSCSP; we may consider a generalisation of the MSCSP in the above cryptographic protocol where $G$ is a semigroup instead of a group. Note if we have one CE then we exactly have the Turing reduction of the DP to the MSCSP (MSCSP $\propto_T$ DP), and hence the Turing reduction of the DH-DP to the MSCSP (MSCSP $\propto_T$ DH-DP).

In [13] an authentication scheme is given based on the shifted conjugacy search problem (SCSP). It is not stated in [14] not to select $r$ (the random value used in the commitment $x = r * p = r \cdot dp \cdot \sigma_1 \cdot dr^{-1}$) from a publicly known subgroup. Then an attack is as follows.
1. Suppose $r \in R$ where $R = \{\alpha_1, \ldots, \alpha_k\}$ is a publicly known subgroup of $B_n$. In this step the attacker just needs to find one element that commutes with $r$ and not, at least, with $dp \cdot \sigma_1$ (using an algorithm chosen by the attacker) to show that the SCSP can be reduced to solving the CSP. The attacker picks a subgroup of $R$ given by the generators $g_1, \ldots, g_k$. Then the attacker computes all of or a large part of

$N = C(\alpha_1, \ldots, \alpha_k) = C(\alpha_1) \cap \ldots \cap C(\alpha_k)$.

2. Then

$CE_1(N_i, r * p) = (r \cdot dp \cdot \sigma_1 \cdot dr^{-1})^{-1} N_i (r \cdot dp \cdot \sigma_1 \cdot dr^{-1}) = dr \cdot \sigma_1^{-1} \cdot dp^{-1} \cdot r^{-1} \cdot N_i \cdot (r \cdot dp \cdot \sigma_1 \cdot dr^{-1}) = dr \cdot \sigma_1^{-1} \cdot dp^{-1} N_i dp \cdot \sigma_1 \cdot dr^{-1}$

will be true, $N_i \in N$, $1 \le i \le M$. Then the protocol can be based on the MSCSP with

$((N_1, N_2, \ldots, N_M), (CE(N_1, r * p), CE(N_2, r * p), \ldots, CE(N_M, r * p)))$
with solution $(dr \cdot \sigma_1^{-1} \cdot dp^{-1}, dp \cdot \sigma_1 \cdot dr^{-1})$, $O = dp \cdot \sigma_1 \cdot dr^{-1}$,

and $r$ can be found by computing $(\sigma_1^{-1} \cdot dp^{-1} O)^{-1} = r$; there is a similar attack if $s$ (Alice's private key) is chosen from a subgroup that is publicly known. Note the similar attack with $N_i$ commuting with $r \cdot dp$ would mean the SCSP is just the CSP (no extra computation using $d$ is required).

As a variant of the above algorithm an attacker may try to compute an element $N_j \in C(L)$; then it may be possible to use $N_j$ instead of $N_i$ in the attack above, where $L = r * p$ or $L = p$, so in this variant knowledge of $s$ ($L = p$ here) or of $r$ being chosen from a subgroup is not required. A different, second CE on the authentication scheme in [14] or the SCSP is as follows: suppose in a general case we have a pair of examples of the SCSP that have the same secret element, $x = r * p$, $\bar{x} = r * \bar{p}$ (the notation here follows [14], with the secret element $r$); then

$CE_2(x, \bar{x}^{-1}) = CE_2(r * p, r * \bar{p}) = x \cdot \bar{x}^{-1}$

$= (r \cdot dp \cdot \sigma_1 \cdot dr^{-1}) \cdot (r \cdot d\bar{p} \cdot \sigma_1 \cdot dr^{-1})^{-1}$

$= (r \cdot dp \cdot \sigma_1 \cdot dr^{-1}) \cdot dr \cdot \sigma_1^{-1} \cdot d\bar{p}^{-1} \cdot r^{-1}$

$= r \cdot dp \cdot d\bar{p}^{-1} \cdot r^{-1}$

so the secret $r$ can be found by solving the CSP pair $(dp \cdot d\bar{p}^{-1}, CE_2(r * p, r * \bar{p}))$ for $r$; there is a similar CE for $dr$ (use $\bar{x}^{-1} \cdot x$ instead of $x \cdot \bar{x}^{-1}$, and then $dr$ is transformed to $r$ etc.). Then the attacker waits until $\epsilon = 1$, so in this case Alice sends to Bob $r * s = r \cdot ds \cdot \sigma_1 \cdot dr^{-1}$; hence the attacker computes the private key $s = r^{-1} \cdot (r * s) \cdot dr \cdot \sigma_1^{-1}$. We note the above attacks can be used to answer question 2.6 in [14] (with $y = p$ in the CSP). We note our attack can be used to solve the shifted conjugacy decision problem. Our results suggest that CE functions should be hard to compute; hence semigroups may be considered, because then Theorem 1 may be false, as the elements $y_a$ and/or $y_b$ are not invertible. This suggestion applies to any hard problem such as the EDL problem below. Note that in the CE computations in the algorithms it may be that centraliser element(s) (call these $p_i$) that multiply the secret(s) cancel out, and it can be shown these factors in the centraliser are efficiently computable; for example one way to do this is, if $p_i$ is a power of the fundamental braid, to estimate a power of the fundamental braid from the public elements (for example using a length function) and so recover a $p_i$, or instead to find this power by brute force.

We now consider a problem related to the SCSP/CSP, which is: given a semigroup $G$, publicly known functions $u : G \to G_1$, $v : G_2 \to G$, $w : G_3 \to G$, where $G_1, G_2, G_3$ are subsets of $G$, and the publicly known elements $y_i = u(r) v(p_i) w(r^{-1})$, $v(p_i)$, $1 \le i \le n$, find the element $r$. We observe that the problem generalises the twisted conjugacy problem [15] and the doubly twisted conjugacy problem [13]; e.g. with $i = 1$, $u$ an endomorphism, $v, w$ the identity map, $G$ a group and $G_1 = G$, $G_2 = G$, $G_3 = G$ we recover the twisted conjugacy problem. So we refer to the above problem as the GTCP (generalised twisted conjugacy problem), for which we now describe solutions. Now consider the GTCP with $i > 1$; select a pair $i, j$ with $v(p_i) \ne v(p_j)$, $1 \le i, j \le n$. We have the conjugacy extractor

$CE_1(y_i, y_j) = y_i \cdot y_j^{-1}$

$CE_1(u(r) v(p_i) w(r^{-1}), u(r) v(p_j) w(r^{-1})) = u(r) v(p_i) w(r^{-1}) \cdot (u(r) v(p_j) w(r^{-1}))^{-1}$

$= u(r) v(p_i) w(r^{-1}) \cdot w(r^{-1})^{-1} v(p_j)^{-1} u(r)^{-1}$

$= u(r) v(p_i) v(p_j)^{-1} u(r)^{-1}$

so here we solve the CSP pair $(v(p_i) v(p_j)^{-1}, CE_1(y_i, y_j))$. Once $u(r)$ is obtained, (attempt to) use the inverse of $u$ to get $r$.

$CE_2(y_i, y_j) = y_j^{-1} \cdot y_i$

$CE_2(u(r) v(p_i) w(r^{-1}), u(r) v(p_j) w(r^{-1})) = (u(r) v(p_j) w(r^{-1}))^{-1} \cdot u(r) v(p_i) w(r^{-1})$

$= w(r^{-1})^{-1} v(p_j)^{-1} u(r)^{-1} \cdot u(r) v(p_i) w(r^{-1})$

$= w(r^{-1})^{-1} v(p_j)^{-1} v(p_i) w(r^{-1})$

so here we solve the CSP pair $(v(p_j)^{-1} v(p_i), CE_2(y_i, y_j))$. Once $w(r)$ is obtained, use the inverse of $w$ to get $r$. Note that for one of the above CE functions for the twisted conjugacy problem, the problem is just the conjugacy search problem. The above can be repeated for different $i, j$ to get a reduction to the MSCSP. Another method to solve the GTCP is as follows.

1. Suppose $G_1 = \{\alpha_1, \ldots, \alpha_k\}$, $G_3 = \{\beta_1, \ldots, \beta_l\}$ are publicly known. In this step it is required that one element that commutes with $r$ is found. Pick subgroups of $G_1, G_3$ given by the generators $g_1, \ldots, g_L$, $h_1, \ldots, h_K$. Then compute all of or a large part of

$N = C(\alpha_1, \ldots, \alpha_k) = C(\alpha_1) \cap \ldots \cap C(\alpha_k)$,
$M = C(\beta_1, \ldots, \beta_l) = C(\beta_1) \cap \ldots \cap C(\beta_l)$.

2.  Then

$CE_3(M_i, y_j) = u(r) v(p_j) w(r^{-1}) M_i (u(r) v(p_j) w(r^{-1}))^{-1} = u(r) v(p_j) M_i v(p_j)^{-1} u(r)^{-1}$

and

$CE_4(N_i, y_j) = (u(r) v(p_j) w(r^{-1}))^{-1} N_i u(r) v(p_j) w(r^{-1}) = w(r^{-1})^{-1} v(p_j)^{-1} N_i v(p_j) w(r^{-1})$,

$N_i \in N$, $M_i \in M$, $1 \le i \le m$, $1 \le j \le n$. Hence using $CE_3(M_i, y_j)$, $CE_4(N_i, y_j)$ the GTCP has a solution respectively in the MSCSPs with

$((N_1, N_2, \ldots, N_m), (CE_4(N_1, y_j), CE_4(N_2, y_j), \ldots, CE_4(N_m, y_j)))$
with solution $w(r^{-1})^{-1} v(p_j)^{-1}$;

$((M_1, M_2, \ldots, M_m), (CE_3(M_1, y_j), CE_3(M_2, y_j), \ldots, CE_3(M_m, y_j)))$
with solution $u(r) v(p_j)$;

from $w(r^{-1})^{-1} v(p_j)^{-1}$ and $u(r) v(p_j)$ we can obtain $r$ by using a right multiplication and the inverses of $w, u$; this shows the twisted conjugacy problem can be deterministically reduced to the MSCSP. We observe the algorithm in section 7 below can be used to attempt to solve the twisted or doubly twisted conjugacy problem with or without using $u$ or $v$. Observe that once we have found solutions to the twisted conjugacy problem and the SCSP, we can solve the decision versions of the twisted conjugacy problem and the SCSP.

6. A Solution for the EDL type problem in Non-commutative Semigroups

The EDL braid type problem was proposed in [9], where it is assumed to be hard. Following the notation in our definition above of the EDL we have the following theorem.

Theorem 2

Given (the DP equations) $y_a = uav$, $y_b = wbx$, the EDL is sometimes equivalent to solving the CSP if $y_a, y_b$ are both invertible elements.

Proof

We will solve this problem by solving a system of DP equations for certain values of the secrets, so our proof can be used to solve a system of DP equations, for example in showing above that the shifted conjugacy based protocol is based on the CSP. Assume $w = u$ and $x = v$, $a \ne b$; then $y_a = uav$, $y_b = ubv$, and so the CE functions give

$y_a y_b^{-1} = u a b^{-1} u^{-1}$,

$y_a^{-1} y_b = v^{-1} a^{-1} b v$

and so we can solve the CSP pairs $(ab^{-1}, y_a y_b^{-1})$ and $(a^{-1} b, y_a^{-1} y_b)$ for $g_1 = u$ and $g_2 = v$ respectively using an algorithm for the CSP. Then the verification (which can be done efficiently using the algorithms for the word problem when $G$ is the braid group, e.g. see [10]) $y_a = g_1 a g_2$, $y_b = g_1 b g_2$ will be true by the above assumption; hence we have shown the EDL to be true in this case. For some examples of the CSP there are fast algorithms, for example see [1]; hence the assumption in [9] that the EDL is hard is not always true. If we know the generators of the subgroups $A$ and $B$ then we may use a length based algorithm to recover the secret element with non-negligible probability.

We re-define again the EDL problem more generally as follows.
Public information: $G$ is a semigroup. $A, B, C, D$ are subsets of $G$. $a_i, b_i, x_i, y_i \in G$ with $y_i = a_i x_i b_i$, $1 \le i \le m$.

Secret Information: $a_i \in A_i$, $b_i \in B_i$ ($A_i$ and $B_i$ are subgroups).

Objective: Decide if $F_{x_1}(y_1) \cap F_{x_2}(y_2) \cap \ldots \cap F_{x_m}(y_m) \ne \emptyset$, where $F_\beta(\alpha) = \{(a, b) \in B_n \times B_n : \alpha = a \beta b\}$.

Theorem 3

The generalised EDL above is sometimes equivalent to solving the CSP. The generalised EDL may be partially solved in the sense that for a subset of integers $t_1, t_2, \ldots, t_r$ in $[1, m]$ we can decide if $F_{x_{t_1}}(y_{t_1}) \cap F_{x_{t_2}}(y_{t_2}) \cap \ldots \cap F_{x_{t_r}}(y_{t_r}) \ne \emptyset$.

Proof

Again we will solve this problem by solving a system of DP equations for certain values of the secrets, so our proof can be used to solve a system of DP equations. Assume $a_i = a_j$ and $b_i = b_j$ for all $i, j \in [1, m]$ with $i \ne j$; then $y_i = a_i x_i b_i$, $y_j = a_j x_j b_j$, and so the CE functions give

$y_i y_j^{-1} = a_i x_i x_j^{-1} a_i^{-1}$,

$y_i^{-1} y_j = b_i^{-1} x_i^{-1} x_j b_i$,

and so we can solve the CSP pairs $(x_i x_j^{-1}, y_i y_j^{-1})$ and $(x_i^{-1} x_j, y_i^{-1} y_j)$ for the solutions $g_1 = a_i$ and $g_2 = b_i$ respectively using an algorithm for the CSP. We can get more conjugacy extractor functions by choosing different values for $i$ and $j$. Then the verification (which can be done efficiently using the algorithms for the word problem when $G$ is the braid group, e.g. see [10]) $y_a = g_1 x_a g_2$, $y_b = g_1 x_b g_2$ will be true by the above assumption for all $(a, b)$; hence we have shown the EDL to be true in this case.

If we know the generators of the subgroups $A$ and $B$ then we may use a length based algorithm to recover the secret element with non-negligible probability.

The EDL can be partially solved if the assumption $a_i = a_j$ and $b_i = b_j$ holds for at least two integers $i$ and $j$, $i, j \in [1, m]$ with $i \ne j$. Then the proof that the EDL can be partially solved is the same as above, except that there are fewer choices for $i$ and $j$.

7. Second Algorithm using CE Functions

Given (the DP equation) $u = xaz$. This attack reveals partial information about the secret $z$ or totally recovers $z$. This attack is a generalisation of our attack on the DP by using a MSCSP.

1. The attacker picks elements $S_i$ according to some criteria relating to commutativity; for example elements $S_i$ may be picked randomly, or $S_i$ may be composed of a few Artin generators, as these may commute to some degree with $z$.

2. Then for $1 \le i \le M$, for a sequence of integers $T_i$,

$CE_1(S_i, u) = u S_i u^{-1} = x a z S_i z^{-1} a^{-1} x^{-1} = x a \bar{z} S_i \bar{z}^{-1} a^{-1} x^{-1}$

where (with probability $p$) $\bar{z}$ is a partial factor of $z$ for some $i$; this means $z = \bar{z} z_{T_i}$.

3. We solve for each $i$ the CSP $(S_i, CE_1(S_i, u))$ for the solution $x a \bar{z}$ and hence compute $z_{T_i} = (x a \bar{z})^{-1} x a z$. Note if $S_i$ is selected from the centraliser of $z$ then we can use the MSCSP at this step (so this shows the DP is Turing reducible to the MSCSP).

4. We now find (in some way) $z$ using the information $(S_i, x a \bar{z}, z_{T_i})$ and the other information used in the protocol. One of the simplest choices to implement this step is trying to find $z$ for each $i$ by brute force and hence possibly recover $z$.

A variant of the above attack is, after $z_{T_i}$ is recovered, to repeat the attack (at least once) by iterating with $u z_{T_i}^{-1}$ instead of $u$ (and obviously all other values may be different), so in this way we may be able to find a bigger factor of $z$. It may be true (with some probability $p_2$) that $\bar{z}$ contains a partial factor of $a$, which means the CSP is solved to give $\bar{z} a_{T_i}$ where $a_{T_i}$ is some partial factor of $a$. Then the simplest choice at this step to recover $z$ is to find $a_{T_i}$ by brute force and use $a_{T_i}$ to recover $z$.

Conclusion

We have shown the protocols [10], [2], [6], [7], [11], [13], [14] can have security based on the MSCSP. We have shown the DP and DH-DP can be solved by the MSCSP. Our Theorem 1 implies that the CKLHC cryptosystem and related cryptosystems are MSCSP based, so are no more secure than using the AAG protocol [1]. Our Theorem 1 implies that semigroups should be used (for $G$) for the protocol in [12] to be secure, so that it is not based on the MSCSP. We should not use the CKLHC protocol in [10] or related protocols (which are suggested to be used in braid groups) in preference to the AAG protocol, as they are no more secure than using the AAG, in the sense that they are based on the MSCSP.